Bug 251041
Summary: | Squid cannot start NTLM auth helpers due to SELinux policy | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | Leonid Zeitlin <lz>
Component: | squid | Assignee: | Daniel Walsh <dwalsh>
Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl>
Severity: | low | Priority: | low
Version: | 7 | Hardware: | All
OS: | Linux | Fixed In Version: | Current
Doc Type: | Bug Fix | Last Closed: | 2007-11-12 23:02:01 UTC
Description
Leonid Zeitlin
2007-08-06 18:12:21 UTC
Fixed in selinux-policy-2.6.4-34

Please pardon an ignorant question, but where can I find version 2.6.4-34? Can't seem to find it in updates or even CVS. Thanks.

I have just submitted it for build. I am trying to only release on a weekly basis. So it should go to Fedora Testing on Friday.

Confirm that selinux-policy-2.6.4-35 from testing solves the problem. Thanks!

While the issue is fixed as of selinux-policy-2.6.4-35, now my audit log is full of these messages:

type=AVC msg=audit(1191922803.673:467268): avc: denied { create } for pid=15084 comm="ntlm_auth" scontext=root:system_r:winbind_helper_t:s0 tcontext=root:system_r:winbind_helper_t:s0 tclass=udp_socket

I wonder if these should be allowed, or else not audited.

Looks like winbind_helper might be talking to dns? In Rawhide I allow this so I guess I will back port to FC7.

Added in selinux-policy-2.6.4-48

With selinux-policy-2.6.4-48 the denials above are gone, thank you. However, when squid starts, a few denials are still logged:

type=AVC msg=audit(1192697265.873:16787): avc: denied { read } for pid=7454 comm="ntlm_auth" name="host.conf" dev=dm-3 ino=66420761 scontext=root:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1192697265.873:16786): avc: denied { read } for pid=7454 comm="ntlm_auth" name="nsswitch.conf" dev=dm-3 ino=66420786 scontext=root:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1192697162.366:16783): avc: denied { getattr } for pid=7461 comm="ntlm_auth" name="[3631756]" dev=sockfs ino=3631756 scontext=root:system_r:winbind_helper_t:s0 tcontext=root:system_r:squid_t:s0 tclass=unix_stream_socket

Fixed selinux-policy-2.6.4-49

Confirm that selinux-policy-2.6.4-49 fixes the denials on startup. I think the issue can be closed.
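
The AVC records quoted in this report can be reduced to one line per (source type, target type, class), which is the form an administrator reviews when deciding whether an access should be allowed or marked as not audited. The following Python sketch is an added example, not part of the bug report or of the selinux-policy package; the function names are hypothetical and the log text is the four records from the comments above.

```python
import re
from collections import defaultdict

# The four AVC records quoted in the comments above, one per line.
AUDIT_LOG = """\
type=AVC msg=audit(1191922803.673:467268): avc: denied { create } for pid=15084 comm="ntlm_auth" scontext=root:system_r:winbind_helper_t:s0 tcontext=root:system_r:winbind_helper_t:s0 tclass=udp_socket
type=AVC msg=audit(1192697265.873:16787): avc: denied { read } for pid=7454 comm="ntlm_auth" name="host.conf" dev=dm-3 ino=66420761 scontext=root:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1192697265.873:16786): avc: denied { read } for pid=7454 comm="ntlm_auth" name="nsswitch.conf" dev=dm-3 ino=66420786 scontext=root:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1192697162.366:16783): avc: denied { getattr } for pid=7461 comm="ntlm_auth" name="[3631756]" dev=sockfs ino=3631756 scontext=root:system_r:winbind_helper_t:s0 tcontext=root:system_r:squid_t:s0 tclass=unix_stream_socket
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def summarize_denials(log_text, comm=None):
    """Group denials by (source type, target type, class), merging permissions."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or (comm and m["comm"] != comm):
            continue  # not an AVC denial, or from a process we are not triaging
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    return dict(grouped)


def as_rules(grouped):
    """Render each group in allow-rule syntax, as candidates for review only."""
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        target = "self" if src == tgt else tgt  # same-type access is written 'self'
        text = " ".join(sorted(perms))
        if len(perms) > 1:
            text = "{ " + text + " }"
        rules.append(f"allow {src} {target}:{cls} {text};")
    return rules


if __name__ == "__main__":
    for rule in as_rules(summarize_denials(AUDIT_LOG, comm="ntlm_auth")):
        print(rule)
```

The two `etc_t` reads (host.conf and nsswitch.conf) collapse into a single entry, so the four records come down to three distinct accesses by `winbind_helper_t`.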